Where is the line between war and cyber attack – and how will insurers respond?

Between drone walls and state-sponsored ransomware, will cyber insurance stand up to scrutiny?


By Matthew Sellers

In an age of drone strikes and state-sponsored hacking, the boundary between conventional acts of war and digital aggression is blurring. For insurers, the question is pressing: when might a hostile cyber campaign be classified as war, and thus provide grounds to deny claims under war exclusions?

Reports in recent months suggest renewed Russian attempts at drone incursions and cyber intrusion in Europe and beyond. These developments amplify a longstanding debate in the insurance world: when does a cyber operation become a “warlike” act and who bears the loss?

A recent article from Marsh McLennan highlights the ambiguity inherent in traditional war exclusions when applied to cyber operations. The piece notes that many policies exclude losses caused by “war or warlike action,” but those terms were conceived for kinetic warfare, not for remote code, espionage, or sabotage in cyberspace.

As Marsh McLennan explains, two major questions bedevil the issue: first, can the attack be attributed to a sovereign state? Denmark’s politicians obviously suspect Russians to be behind their recent airspace closures, but can’t prove it so far. Second, is it characterisable as warlike conduct? Identifying the actor behind a cyber operation is notoriously challenging. Even when a government later attributes the attack, political, diplomatic or legal motives may shade the assessment.

On the question of characterisation, Marsh McLennan notes that courts have long relied on indicators of physical force, proximity to theatres of war or uniformed combatants, factors that may not translate neatly to digital incursions.

In Merck v. Ace American Insurance (a US case), the court declined to apply a standard war exclusion to a cyber event, reasoning that insurers must define exclusions more clearly for cyber to fall within them. The court also applied the doctrine of contra proferentem, which resolves ambiguous terms against the insurer. The decision left many questions about state-attributable cyber warfare unresolved.

Marsh McLennan points to efforts by industry groups, including the LMA and the Geneva Association, to refine war and cyber exclusion clauses. Their model "cyber war and cyber operation exclusion" clauses define “cyber operation” broadly to encompass state-attributed digital activity, including activity short of pure kinetic war. They also propose a “spectrum of state responsibility” to clarify when state involvement is sufficient for the exclusion to kick in.

The issue, however, is how many different clauses are currently in operation. Aaron Le Marquer, head of insurance policyholder disputes at Stewarts, told the Financial Times that there are at least 48 variations of the cyber “war exclusion” circulating in the market. Some exclude losses indirectly arising from war, a formulation that could sweep in a wide range of state-linked activity.

Risks for insurers and policyholders

In practice, insurers may seek to deny claims on the basis that a major cyber disruption is part of a state’s hostile campaign—classifying the act under a war exclusion. But given ambiguities in attribution and characterization, such denials may face challenges, especially where policy wording is vague.

For policyholders, the risk is acute. A war exclusion could leave the insured with nobody to bear the cost, even when the damage is extensive. But marshaling that challenge is complex; effective recourse may depend on whether arbitrators, courts or regulatory bodies accept more modern interpretations of war and state cyber responsibility.

What insurance professionals should do now

In light of the escalating tension on the Russian border at the moment, insurers, brokers and risk professionals should:

  • Review war and cyber exclusion wording in policies to ensure clarity, especially around state attribution and definitions of cyber operations.
  • Consider carve-backs or coverage for state-sponsored acts short of full war—e.g., “hostile cyber activity” not categorized as war.
  • Stay alert to emerging market exclusions and model clauses promulgated by the LMA and Geneva Association.
  • Clarify scope in reinsurance contracts: many reinsurance treaties mirror the insurer’s war exclusion wording, creating potential gaps if the exclusion is applied inconsistently.

The broader industry challenge

With strategic cyber warfare rising, the insurance sector cannot rely on old war exclusion templates. The drive now is toward modernised contract language that can distinguish between espionage, disruption, sabotage—and full-scale warlike acts.

If insurers lean too heavily on war exclusions without refinement, they risk eroding the credibility of cyber coverage. The alternative is a more nuanced approach—arguably the only way to preserve the integrity of cyber insurance in a contested, digital age.
